Debian 9859

The following updates have been released for Debian:

[DLA 430-1] libfcgi security update
[DLA 431-1] libfcgi-perl security update
[DLA 433-1] xerces-c security update
[DLA 432-1] postgresql-8.4 update
[DSA 3492-1] gajim security update
[DSA 3493-1] xerces-c security update



[DLA 430-1] libfcgi security update

Package : libfcgi
Version : 2.4.0-8+deb6u1
CVE ID : CVE-2012-6687
Debian Bug : 681591

It was discovered that there was a remote denial of service in
libfcgi, a library for implementing the FastCGI web server protocol.

For Debian 6 Squeeze, this issue has been fixed in libfcgi version
2.4.0-8+deb6u1.

[DLA 431-1] libfcgi-perl security update

Package : libfcgi-perl
Version : 0.71-1+squeeze1+deb6u1
CVE ID : CVE-2012-6687
Debian Bug : 815840

It was discovered that there was a remote denial of service in libfcgi-perl,
a helper library for implementing the FastCGI web server protocol for Perl.

For Debian 6 Squeeze, this issue has been fixed in libfcgi-perl version
0.71-1+squeeze1+deb6u1.

[DLA 433-1] xerces-c security update

Package : xerces-c
Version : 3.1.1-1+deb6u2
CVE ID : CVE-2016-0729

Gustavo Grieco discovered that xerces-c, a validating XML parser library
for C++, mishandles certain kinds of malformed input documents,
resulting in buffer overflows during processing and error reporting.
These flaws could lead to a denial of service in applications using the
xerces-c library, or potentially, to the execution of arbitrary code.

[DLA 432-1] postgresql-8.4 update

Package : postgresql-8.4
Version : 8.4.22lts6-0+deb6u1

Several bugs were discovered in PostgreSQL, a relational database server
system. The 8.4 branch is EOLed upstream, but still present in Debian squeeze.
This new LTS minor version contains fixes that were applied upstream to the
9.1.20 version, backported to 8.4.22, which was the last version officially
released by the PostgreSQL developers. This LTS effort for squeeze-lts is a
community project sponsored by credativ GmbH.

This release is the last LTS update for PostgreSQL 8.4. Users should
migrate to a newer PostgreSQL at the earliest opportunity.

## Migration to Version 8.4.22lts6

A dump/restore is not required for those running 8.4.X. However, if you are
upgrading from a version earlier than 8.4.22, see the relevant release notes.

## Fixes

Fix infinite loops and buffer-overrun problems in regular expressions
(Tom Lane)

Very large character ranges in bracket expressions could cause
infinite loops in some cases, and memory overwrites in other cases.
(CVE-2016-0773)

Perform an immediate shutdown if the postmaster.pid file is removed
(Tom Lane)

The postmaster now checks every minute or so that postmaster.pid is
still there and still contains its own PID. If not, it performs an
immediate shutdown, as though it had received SIGQUIT. The main
motivation for this change is to ensure that failed buildfarm runs
will get cleaned up without manual intervention; but it also serves
to limit the bad effects if a DBA forcibly removes postmaster.pid
and then starts a new postmaster.


[DSA 3492-1] gajim security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3492-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
February 25, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : gajim
CVE ID : CVE-2015-8688
Debian Bug : 809900

Daniel Gultsch discovered a vulnerability in Gajim, an XMPP/jabber client.
Gajim didn't verify the origin of roster updates, allowing an attacker to
spoof them and potentially allowing her to intercept messages.

For the oldstable distribution (wheezy), this problem has been fixed
in version 0.15.1-4.1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 0.16-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 0.16.5-0.1.

For the unstable distribution (sid), this problem has been fixed in
version 0.16.5-0.1.

We recommend that you upgrade your gajim packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3493-1] xerces-c security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3493-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 25, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xerces-c
CVE ID : CVE-2016-0729
Debian Bug : 815907

Gustavo Grieco discovered that xerces-c, a validating XML parser library
for C++, mishandles certain kinds of malformed input documents,
resulting in buffer overflows during processing and error reporting.
These flaws could lead to a denial of service in applications using the
xerces-c library, or potentially, to the execution of arbitrary code.

For the oldstable distribution (wheezy), this problem has been fixed
in version 3.1.1-3+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 3.1.1-5.1+deb8u1.

We recommend that you upgrade your xerces-c packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/